CVE-2026-28025 identifies a Local File Inclusion (LFI) vulnerability in the ThemeREX Stargaze WordPress theme, specifically due to improper control over the filename parameter used in PHP include or require statements. This vulnerability arises when the application fails to properly validate or sanitize user input that determines which files are included during runtime. As a result, an attacker can manipulate the filename parameter to include arbitrary files from the server's filesystem. This can lead to disclosure of sensitive information such as configuration files, source code, or credentials stored on the server. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or misconfigurations. The affected versions include all releases up to and including version 1.5 of the Stargaze theme. The vulnerability was published on March 5, 2026, with no CVSS score assigned yet and no known exploits in the wild. The lack of patch links suggests that a fix has not been publicly released at the time of this report. The vulnerability is categorized under improper control of filename for include/require statements, a common PHP security issue that can have severe consequences if exploited. The attacker does not require user interaction but may need to access the web interface or send crafted requests to trigger the vulnerability. The theme is used in WordPress environments, which are widely deployed globally, increasing the potential attack surface.

The primary impact of CVE-2026-28025 is unauthorized access to sensitive files on the web server hosting the affected WordPress site. This can lead to disclosure of critical information such as database credentials, configuration files, or source code, which attackers can use to further compromise the system. In some scenarios, LFI vulnerabilities can be chained with other exploits to achieve remote code execution, leading to full system compromise. For organizations, this can result in data breaches, website defacement, loss of customer trust, and potential regulatory penalties. Since WordPress powers a significant portion of websites worldwide, and themes like Stargaze are used in various industries including e-commerce, media, and corporate sites, the scope of impact is broad. The absence of known public exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are widely known. The vulnerability's ease of exploitation, without requiring authentication or user interaction, increases the risk profile. Organizations with publicly accessible WordPress sites using the affected theme are particularly vulnerable to automated scanning and exploitation attempts.

Organizations should immediately audit their WordPress installations to identify if the Stargaze theme version 1.5 or earlier is in use. Until an official patch is released, administrators should consider temporarily disabling or replacing the theme to prevent exploitation. Implement strict input validation and sanitization on any parameters that control file inclusion paths, ensuring only intended files can be included. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit LFI vulnerabilities, such as suspicious traversal sequences or unusual parameter values. Restrict file permissions on the server to limit access to sensitive files and directories, minimizing the impact of any successful inclusion. Monitor web server logs and intrusion detection systems for signs of exploitation attempts, including unusual requests targeting include or require parameters. Keep WordPress core, themes, and plugins up to date and subscribe to vendor security advisories for timely patch information. Consider implementing Content Security Policy (CSP) headers to reduce the risk of code injection. Finally, conduct regular security assessments and penetration testing focused on file inclusion and other common web vulnerabilities.